Abstract. I transform the trapdoor problem of HFE into a linear
algebra problem.



1. Introduction

The problem of solving systems of multivariate polynomial equations
is a well-known hard problem. In complexity theory, it is well known to
be an NP-complete problem. Furthermore, even if we limit ourselves
to the problem of solving systems of multivariate polynomial equations
of degree two, we again have an NP-complete problem. Therefore, it
has received a lot of attention since the invention of the idea of
public key (PK) cryptography by Diffie and Hellman [DH76].

A lot of cryptosystems have been proposed since then, where an
eavesdropper is asked to accomplish the hard task of solving systems
of quadratic equations. However, most of them had short lives. The
information that an eavesdropper had on the shape of the private key
usually sufficed to compromise the security. Some of their cryptanalyses
aimed to recover the private key, or something equivalent, in the sense
that it gives the same privileges. Other cryptanalyses reduce the problem
to feasible exhaustive searches, and so on. Recall that the ultimate
task of cryptanalysis is recovering cleartexts rather than meticulously
recovering every component of the PK [COU].

In this paper we focus on HFE. It is a PK cryptosystem first proposed
by Patarin [Pat96], after he had successfully cryptanalyzed the
cryptosystem of Imai and Matsumoto [IM85]; HFE is one of the
modifications of that cryptosystem.

In its main version, its PK is a system of n quadratic polynomial
equations in n variables with coefficients in a finite field F_q, in
practice F_2. Its private key is:

• a basis, up to an isomorphism, of an overfield K ⊇ F_q with
[K : F_q] = n, as an F_q-vector space;

• a single univariate polynomial f of a certain form, with coefficients
in K;

• two invertible affine transformations of K.
Practically, p = q = 2. However, cryptosystems can be set up for
any choice of p, q. For simplicity, from here on we assume only that p = q.
The other case can be treated almost identically.

In our cryptanalysis, we find another sparse univariate polynomial,
such that its knowledge reduces eavesdropping to the task of
solving a single univariate polynomial equation. Solving such an equation in general
is an NP-complete problem. Due to its further structure, in the case
of HFE solving it is a pure linear algebra matter.

We call the single polynomial that we find from public data an alias of the
PK. The whole task of recovering it can be performed within O(n^6)
bit operations. Recall that n is actually the only security parameter available to
the legitimate user, and that the trapdoor problem is subexponential
in it.

We assume that the reader is already familiar with HFE.

Most of the symbolic manipulations throughout this paper are done
by means of Singular, Macaulay2, and CoCoA. If there are any
calculation mistakes, they are in the small part done by hand. In any
case, calculation errors in the examples do not affect the algorithms
they illustrate.



2. The Cryptosystem

Let the parties committed to the tasks be:

• Alice, who wants to receive secure messages;

• Bob, who wants to send her secure messages;

• Eve, the eavesdropper.

Alice chooses two finite fields F_q ⊂ K, and a basis β_1, β_2, ..., β_n of K
as an F_q-vector space. In practice, q = 2. However, it can be any p^r,
for any prime p and any r ∈ N.

Next she takes a univariate polynomial of the form:

(1)

with coefficients in K, and two affine transformations S, T : K → K;
one applied on the left, one on the right. Let d_f be the degree (private data) of f(x).

With manipulations that we skip in order to save space, she generates
her PK: a set of n quadratic polynomials in n variables.
The interested reader may find details in [IM85, IM89, hfe, Tol03].

Her private key is:

• the basis B of K as an F_q-vector space;

• S, f, T.
3. The Cryptanalysis

Applying invertible affine transformations is equivalent to composing
with affine permutation polynomials. So, Eve knows that S ∘ f ∘ T
in K[x] is a certain univariate polynomial of the same form as (1), but
generally of an enormous degree. This is easily seen if one observes the
general form of such a composition. So, S ∘ f ∘ T is rather sparse, too.

Let S, T also denote the affine polynomials corresponding to the
respective affine transformations. Eve can represent:

(2) \( T = t + t_0 x^{p^0} + \cdots + t_{n-1} x^{p^{n-1}} = (x + t) \circ \left(t_0 x^{p^0} + \cdots + t_{n-1} x^{p^{n-1}}\right). \)

Next, Eve knows that S is a permutation polynomial. So, it has a
single root. Let it be s'. So, we have:

(3) \( S = s + s_0 x^{p^0} + \cdots + s_{n-1} x^{p^{n-1}} = \left(s_0 x^{p^0} + \cdots + s_{n-1} x^{p^{n-1}}\right) \circ (x - s'). \)

So, Eve can think of S ∘ f ∘ T as being of the form:

\[
\left(s_0 x^{p^0} + \cdots + s_{n-1} x^{p^{n-1}}\right) \circ (x - s') \circ f \circ (x + t) \circ \left(t_0 x^{p^0} + \cdots + t_{n-1} x^{p^{n-1}}\right).
\]

It is easily seen that the polynomial F = (x − s') ∘ f ∘ (x + t) is
another polynomial of the same shape and degree as f. So, Eve may
assume that the transformations S and T really are linear rather than
affine, and that the private polynomial is a certain F. She can omit
the translations without any loss.

Let Eve fix the canonical basis of K, or a basis of her choice. She
may assume that a nondegenerate linear transformation C (which she
does not know, but need not know) is applied to the private basis B of K, and
to S ∘ f ∘ T in K[x]. So, she obtains the canonical basis of K, and
another univariate pseudoquadratic polynomial A = S ∘ f ∘ T ∘ C. As
T ∘ C is just another linear transformation, Eve can assume that she
knows the basis, and that the polynomial is of the form S ∘ f ∘ T.

Definition 3.1. The Hamming weight of a univariate polynomial is the 
maximum of the Hamming weights of the exponents of the monomials 
with nonzero coefficients. 

In order to calculate this single univariate public polynomial S ∘ f ∘ T,
Eve writes down the pseudoquadratic polynomial of degree at most
q^n − 1 in its general form:

(4) \( A_d x^d + A_{d-1} x^{d-1} + \cdots + A_1 x + A_0, \)

where she treats the A_i as variables. She includes in such a polynomial
only the monomials whose exponents have Hamming weight at
most two. So, her number of variables is at most (n^2 + n)/2 + n.
Next, Eve has to do at most (n^2 + n)/2 + n evaluations of the PK. So, she
obtains a linear system of at most (n^2 + n)/2 + n equations in the (n^2 + n)/2 + n
variables A_i. Solving it in K enables Eve to recover A = S ∘ f ∘ T
in the form of a univariate polynomial with coefficients in K. It is
public knowledge that A(x) exists and is unique. So, we expect that
the (n^2 + n)/2 + n evaluations are necessary and sufficient.

Now Eve has reduced the eavesdropping problem to the problem of solving
a single univariate polynomial equation of a certain form and structure
within its field of coefficients. She possesses the private key, or rather
an alias of it. The only problem for Eve is that such a polynomial
generally is of a huge degree. However, Eve knows that it is isomorphic to
a very low degree polynomial of a certain form.

Definition 3.2. Two polynomials a(x), b(x) ∈ F_q[x]/(x^q − x) are
called isomorphic iff there exists a permutation polynomial c(x) such
that a(x) = b ∘ c(x) mod (x^q − x) or a(x) = c ∘ b(x) mod (x^q − x).

It is obvious that the above definition sets up an equivalence relation
in the ring F_q[x]/(x^q − x).

Let us now split both the private and the public polynomials f and A
into three pieces: the quadratic part, the linear part, and the constant
term. Our important observation here is that the linear transformations
send the quadratic part of f into the quadratic part of A, the
linear part of f into the linear part of A, and the constant term of f to
the constant term of A, isomorphically and separately, without mixing
the parts. Besides, none of the transformations changes the constant
part. So, we assume the constant part of the polynomial we are looking
for to be known.

The quadratic and linear parts of A define respectively a quadratic
and a linear form Q, L : K^n → K. The compositions of f with the
matrices S, T bring the respective forms into new forms. So, such
compositions correspond to a joint change of basis for these forms.

The important observations of the paragraph above will help us to 
bring the trapdoor problem into a pure linear algebra problem. 

Let us get rid for now of the constant part, and pick it up for last. 

We write down their matrices. In characteristic two, the formula
that associates a symmetric bilinear form (i.e., a symmetric matrix) to
the quadratic form is:

(5) \( b(x, y) = q(x + y) + q(x) + q(y). \)

Alice has limitations on the degree d of f. Indeed, if it is too big,
the number of undesired solutions grows a lot. Besides, if she goes
too far with d, the problem becomes hard for her, too. In any case, all
we are looking for is to render Eve's position as good as Alice's.
Therefore, we know that the matrix of the quadratic form of the
public polynomial has a tiny rank. We bring it into the canonical
form. This process corresponds to a basis change of K^n for A. We
apply the same basis change to the matrix of the linear form.
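As an added example (not code from the paper), formula (5) applied in Python to the quadratic part of the first toy PK polynomial of Section 4, x_1x_2 + x_1x_3 + x_2x_3, viewed as a quadratic form on F_2^3 rather than on K^n. It builds the matrix b(e_i, e_j) entry by entry and computes its rank over F_2. Two points worth seeing in code: linear terms cancel in (5) on their own, but a constant term would not (q(x+y)+q(x)+q(y) would pick it up), so the form is taken without its constant; and in characteristic two the polar matrix is alternating (zero diagonal), so its rank is always even.

```python
# Added example: polar bilinear form of a quadratic form over F_2 via (5),
#   b(x, y) = q(x + y) + q(x) + q(y),
# and its rank over F_2. Not the paper's code; vectors are tuples of 0/1.

def make_quadratic_form(pairs, linear=()):
    """Return q: F_2^n -> F_2 given the 0-based index pairs (i, j) of the
    monomials x_i x_j and the indices of the linear monomials x_i.
    No constant term: (5) only recovers the bilinear form when q(0) = 0."""
    def q(x):
        s = sum(x[i] * x[j] for i, j in pairs) + sum(x[i] for i in linear)
        return s & 1
    return q

def polar_matrix(q, n):
    """Matrix B with B[i][j] = b(e_i, e_j) computed from the unit vectors by (5)."""
    def e(i):
        return tuple(1 if k == i else 0 for k in range(n))
    def add(u, v):
        return tuple((a + b) & 1 for a, b in zip(u, v))
    return [[(q(add(e(i), e(j))) + q(e(i)) + q(e(j))) & 1 for j in range(n)]
            for i in range(n)]

def rank_gf2(matrix):
    """Rank over F_2 by Gaussian elimination on rows packed as bitmasks."""
    rows = [sum(v << k for k, v in enumerate(row)) for row in matrix]
    rank = 0
    for bit in range(len(matrix[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank

def is_alternating(matrix):
    """In characteristic two the polar form is alternating: symmetric with zero diagonal."""
    n = len(matrix)
    return all(matrix[i][i] == 0 for i in range(n)) and all(
        matrix[i][j] == matrix[j][i] for i in range(n) for j in range(n))

# First toy PK polynomial of Section 4: quadratic part x1 x2 + x1 x3 + x2 x3,
# linear part x1 + x3 (kept here to show that (5) cancels it).
TOY_Q = make_quadratic_form(pairs=[(0, 1), (0, 2), (1, 2)], linear=(0, 2))
TOY_B = polar_matrix(TOY_Q, 3)

if __name__ == "__main__":
    for row in TOY_B:
        print(row)
    print("alternating:", is_alternating(TOY_B), "rank over F_2:", rank_gf2(TOY_B))
```

The rank of the polar matrix is what the text means by "tiny rank": for this toy form it is 2, and the basis change that brings the form into canonical form is the one that exposes the few nonzero quadratic monomials.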

Up to now, we have obtained two matrices, one the transpose of the
other (those that bring the quadratic form into canonical form), and a
polynomial. The polynomial is the sum of the polynomials associated to the
matrices of the new quadratic and linear forms, and of the constant
part. This polynomial has exactly as many quadratic monomials as f
does. The problem now is the monomials of the linear part. They
generally still keep their huge degree.

Well, it is public knowledge that we can apply to the new linear
form matrix a basis change that brings most of it into canonical
form, apart from the minor of it in the same position as the nonzero
minor of the new quadratic matrix. Doing so, and applying the same
basis change to the quadratic matrix, we get rid of most of the linear
monomials too, without causing any change to the quadratic polynomial.
The new polynomial associated to the new quadratic and linear
matrices is more or less of the same degree as f. So, Eve is able to
solve it.

So, she has a polynomial and two matrices that indeed put her in
the same position as Alice in decryption. This completes breaking
HFE.

Remark 3.3. The matrices that Eve finds have coefficients in K.
Those of Alice instead have coefficients in F_q. This is not any sort of
problem. Besides, it is public knowledge that Eve could as well limit
herself to transformations with coefficients in F_q, and still obtain an alias of
the key. In practice, there is no reason to do so.

3.1. For most of the rest of this paper we give a step-by-step example
of how we practically recover A(x), and then of how we actually
choose a suitable pair of linear transformations that enable us to solve it.

4. A Toy Example

We are given the following toy PK, from Wolf [Wol03]:

\[
\begin{cases}
x_1 + x_3 + x_1 x_2 + x_1 x_3 + x_2 x_3 \\
x_3 + x_1 x_3 + x_2 x_3 \\
x_1 + x_2 + x_3 + x_1 x_2 + x_2 x_3 + 1.
\end{cases}
\]

All we know besides the PK equations is that the base field is
F_2, and that the degree of the field extension is 3. In some fashion, these
data will be public. Without them, Bob would be unable to encrypt.

We fix the basis t^2, t, 1 of K = F_{2^3} as an F_2-vector space. We choose
it at our pleasure. We take K = F_2[t]/(t^3 + t + 1). Again, we choose
the irreducible polynomial of degree n from F_2[t] for generating K at
our pleasure.

Now we write the general form of the polynomial we are looking for,
an alias of the private polynomial f. It has at most 3^2 = 9 terms.
Explicitly, in this case it is of the form:

(7) \( a + bx + cx^2 + dx^3 + ex^4 + fx^5 + gx^6. \)

Now we evaluate the PK at 7 points: x = 0, 1, t, t + 1, t^2, t^2 + 1, t^2 + t.

The toy values of the parameters give the wrong impression that we will
have to evaluate a generic-coefficients polynomial on the whole set of
elements of the overfield. Indeed, it is very far from being like that.
We need only about n^2 evaluations, whereas |K| = p^n.

From the evaluations we obtain the following system:

\[
\begin{cases}
a = 1 \\
a + b + c + d + e + f + g = t^2 \\
a + t\,b + t^2 c + (t + 1) d + (t^2 + t) e + (t^2 + t + 1) f + (t^2 + 1) g = \\
a + (t + 1) b + (t^2 + 1) c + t^2 d + (t^2 + t + 1) e + t\,f + (t^2 + 1) g = \\
a + t^2 b + (t^2 + t) c + (t^2 + 1) d + t\,e + (t + 1) f + (t^2 + t + 1) g = t^2 \\
a + (t^2 + 1) b + (t^2 + t + 1) c + (t^2 + t) d + (t + 1) e + t^2 f + t\,g = t^2 + 1 \\
a + (t^2 + t) b + t\,c + (t^2 + t + 1) d + t^2 e + (t^2 + 1) f + (t + 1) g = 1.
\end{cases}
\]

We solve this system, and find our alias key:

(8) \( A(x) = t^2 x^6 + (t^2 + 1) x^5 + (t^2 + t + 1) x^4 + (t^2 + 1) x^3 + (t^2 + t) x^2 + 1. \)

As the polynomial we are looking for is unique, the solution to the
system above exists and is unique. Now Eve has only to solve the
equation A(x) = y in order to recover x. Even though it is of an
enormous degree, the number of solutions that Eve finds is equal to
the number that Alice is expected to find. This is public knowledge. Eve,
too, can discard undesired solutions by the same means as Alice.
The last task for Eve is that of recovering
two suitable matrices that lower the degree of A(x).

5. Conclusions

5.1. In HFE the PK hides a single univariate pseudoquadratic polynomial.
In any fashion, this polynomial is very sparse. It has at most
(n^2 + n)/2 + n terms of a certain well-known shape. So, in any case, Eve
can recover it in O(n^6) bit operations, for n the degree of the field
extension. Recall that n is Alice's only security parameter, and that
the trapdoor problem is only subexponential in it.
5.2. Even if we take the private polynomial to be of higher Hamming
weight, the amount of calculation required to recover it is almost the same.
Recall that the size of the PK is already almost impractical.

5.3. The problem of solving a single univariate pseudoquadratic polynomial
equation over finite fields is an NP-complete problem [KS99].
So, it is reasonable to look for cryptosystems that provide it as a trapdoor
problem. The experience up to now has shown that hiding polynomials
does not help the security of a cryptosystem, restricts choices,
and renders the size of the PK impractical. The privileged position of
a legitimate user must rely on something else.